-
Bug
-
Resolution: Unresolved
-
Minor
-
None
-
4.19
-
Quality / Stability / Reliability
-
False
-
-
None
-
Moderate
-
None
-
None
-
None
-
Rejected
-
None
-
None
-
None
-
None
-
None
-
None
-
None
-
None
Description of problem:
Changing .spec.appsDomain of ingresses.config.openshift.io/cluster to a wildcard domain crashes openshift-apiserver
Version-Release number of selected component (if applicable):
4.19
How reproducible:
100%
Steps to Reproduce:
1. Change appsDomain to have a "*." on it
$ OLD_DOMAIN=$(kubectl get ingresses.config.openshift.io cluster -o jsonpath='{.spec.domain}')
$ NEW_DOMAIN="*.${OLD_DOMAIN}"
$ kubectl patch ingresses.config.openshift.io/cluster --type='json' -p="[{'op': 'replace', 'path': "/spec/appsDomain", "value": \"$NEW_DOMAIN\"}]"
2. Check appsDomain now has the property that breaks it
$ kubectl get ingresses.config.openshift.io cluster -o jsonpath='{.spec.appsDomain}'
*.apps.ci-ln-syqt18t-76ef8.aws-2.ci.openshift.org
3. Wait for a few moments, and check openshift-apiserver Pods are on CLB with the following error:
$ kubectl get pods -n openshift-apiserver -w apiserver-6464d54cd9-6jffn 1/2 CrashLoopBackOff 2 (1s ago) 2m17s apiserver-6464d54cd9-6jffn 1/2 Error 3 (21s ago) 2m37s $ kubectl logs -n openshift-apiserver apiserver-6464d54cd9-6jffn .... F0812 13:58:17.145825 1 cmd.go:74] invalid DNS suffix: *.apps.ci-ln-syqt18t-76ef8.aws-2.ci.openshift.org
4. Removing the field, or removing "*." makes openshift-apiserver come back to life
Expected results:
API validation should not allow setting incorrect FQDNs, and should have proper value validation (dns1123Subdomain)
Additional info:
